The breach was brought to light by a Berlin-based security researcher named Sébastien Kaul, who discovered that the Voxox-managed database was discoverable, unprotected, and easily searchable for both names and telephone numbers. Since the server was still active after the breach was discovered, anyone could have monitored a near-real-time data stream to find the relevant two-factor authentication code sent after trying to log into someone else’s account. Only after being contacted by TechCrunch did Voxox take down the database, which contained text messages sent to customers from companies including Google, Amazon, and Microsoft.

[The Verge]

Try Google Authenticator, Microsoft Authenticator, Authy. But please use one. You may also consider an even higher protection with Titan keys.

You can check if you’re affected using Hav I been pwned?